President Trump speaks to tech company leaders at the American Technology Council roundtable at the White House in June 2017. (Jabin Botsford/The Washington Post)

By Neema Singh Guliani

October 3, 2018

Neema Singh Guliani is senior legislative counsel at the American Civil Liberties Union.

After years of claiming they could self-regulate, the tech industry is suddenly receptive to the idea of federal privacy legislation. But don’t let this post-Cambridge Analytica “mea culpa” fool you into believing these companies have consumers’ best interests in mind. Far from it.

This seeming willingness to subject themselves to federal regulation is, in fact, an effort to enlist the Trump administration and Congress in companies’ efforts to weaken state-level consumer privacy protections.

It has often been state legislatures — not Congress — that have led efforts to protect consumer privacy. California was the first in the nation to require that companies notify consumers of a data breach (other states have since followed suit), the first to mandate that companies disclose through a conspicuous privacy policy the types of information they collect and share with third parties, and among the first to recognize data privacy rights for children. Illinois set important limits on the commercial collection and storage of biometric information, such as fingerprints and face prints. Idaho, West Virginia, Oklahoma and other states have passed laws to protect student privacy.

The private sector knows this, and many companies are looking to put a stop to it. The U.S. Chamber of Commerce recently urged Congress to “adopt a federal privacy framework that preempts state law.” The Internet Association, which represents digital companies such as Amazon, Airbnb, Google, Microsoft, Lyft, Twitter and Uber, has similarly urged preemption of state laws. And recent reports suggest that other tech companies, including Facebook, IBM and Microsoft, are working with Trump administration officials behind the scenes to lobby Congress to do the same.

And some people seem to be falling for it. After all, the Senate Commerce Committee held a hearing on consumer privacy protections last week that included many industry representatives but not one representative of consumer interests.

A federal law wiping out — otherwise known as preempting — state protections would be a bad deal for consumers. It would likely put existing consumer protections, many of which are state-led, on the chopping block and leave states bound by a federal law that could prevent additional consumer privacy protections from ever seeing the light of day. State regulators could lose the authority to sue or fine companies that violate their laws. And consumers may even be barred from taking companies to court.

Industry wrongly argues that federal preemption is needed to prevent a “patchwork” of regulation — that is, a situation where states augment federal standards with their own laws. If federal standards are strong and adapt to new threats, states may see no need to pass their own laws to supplement these standards. But preserving their ability to act if this is not the case can be good for the public. It’s because of a patchwork that Equifax ultimately notified all consumers of its data breach, choosing to apply certain state standards nationally. And it’s because of a patchwork that states have prohibited discrimination on the basis of sexual orientation, despite the fact that our laws at the federal level are still lacking.

Particularly in the area of consumer privacy, we should be wary of preemption that could lock in place federal standards that are soon obsolete. Today, even refrigerators can collect sensitive data. New technology will likely require additional protections and experimenting with different solutions, and states have a vital role in fashioning those solutions.

The private sector is making a calculated move here after reckoning with the fact that there’s popular momentum for federal privacy legislation following revelations of Cambridge Analytica’s misuse of Facebook data. Companies know that many states have mustered the political will to pass strong privacy protections that address consumer concerns. And they know that Congress is so paralyzed by gridlock that it has been unable to act even where there is overwhelming bipartisan agreement. So many see here an opportunity to try to enact weak federal protections and kneecap state privacy efforts in the process.

This doesn’t mean we should give up on strong federal privacy legislation; we need it now more than ever. But any such legislation must put consumers in control of their own data. It must require companies to clearly inform consumers about their data practices and get consent to retain, share or otherwise use consumer data. It must address coercive practices that condition services on consumers’ consent to unnecessary data collection, and put in place limits on how data can be retained and used. And, perhaps most importantly, it must give the government a large stick for enforcement and consumers a way to take companies to court that violate privacy.

Critically, this federal legislation should act as a floor, not a ceiling, for privacy interests. We should be highly skeptical of any proposal that would wipe out existing privacy laws that protect consumers or foreclose states from acting to address future privacy threats. Such preemption from Congress would be a win for business interests at the expense of the public.